Hacking Linksys IP Cameras (pt 2)

This article is a continuation of the following GNUCITIZEN article, which includes an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1).

Privilege escalation via arbitrary file retrieval

The second vulnerability I'll be releasing is an arbitrary(ish) file retrieval vulnerability. It's not fully arbitrary because you can only retrieve the contents of files located within the same directory where the vulnerable CGI program is located. However, this is enough to allow a neat privilege escalation vector where a restricted user that only has permissions to view the video stream can gain access to the admin account password.

The problem lies within the `next_file` parameter which is submitted to the `main.cgi` program. Although `main.cgi` does filter characters typically used in directory traversal sequences such as dots (`.`) and forward slashes (`/`), it seems that the developer didn't consider that retrieving the contents of files within the current directory could create a security hole. By simply retrieving the contents of `.htpasswd`, a restricted user which only has permissions to access the video stream can access the credentials of the admin account and also the credentials of other restricted users (if applicable).

The only restriction that needs to be bypassed is the filtering of dot (`.`) symbols. i.e.: the following will not work and will result in a forbidden error:

```
/img/main.cgi?next_file=.htpasswd
```

But replacing the dot (`.`) symbol with its hexadecimal equivalent:

```
/img/main.cgi?next_file=%2ehtpasswd
```

will result in the contents of `.htpasswd` being returned. i.e.:

```
admin:adminpassw0rd
user1:pass1
user2:pass2
```

Like most IP cameras, the Linksys WVC54GCA allows administrators to grant access to the video stream to selected users only (rather than anonymous users who don't need to authenticate). In this case, the admin user can click on the Users menu and tick the Only users in database option (please see screenshot below). After this, all that is needed is to add a username/password pair for the account to grant video-viewing access to:

That works indeed, as long as you're logged in. As long as you only allow one admin user and that's you, it is probably a non-issue.

Rayan

Correct, that only works if you are logged in, in another browser session. Try that by closing down all your browsers and then try again with a clean session; it will prompt for the username and password, and if you skip that it will error out.

pagvac

@balt: indeed you need to be logged in. BUT, you DON'T need admin privileges. You can login as a RESTRICTED user (video-viewing permissions only), steal the admin password and finally login as admin. Thus, this vuln serves as a privilege escalation vector as explained in the post.

kwharrigan

Indeed. If you have any user accounts enabled, and they have weak passwords, you might as well have given up your admin account. Seems it is better to run with no passwords than with them, as your admin account password is now tied to the strength of N user accounts.
Wow.

Cam

The more recent version of the firmware, 1.100R2, resolves this important issue. Thanks for pointing it out - I'm sure that's how Linksys/Cisco fixed the problem. The software on this camera is still a joke - unsigned ActiveX control for a security camera. That's crazy.

Cam

Should have checked before posting - the latest 1.100R2 firmware includes a signed ActiveX control (finally!)